Bi-directional communication on TCP/UDP ports is required between the ESXi host and the Active Directory Domain Controller (via the netlogond process on the ESXi host). See Active Directory and Active Directory Domain Services Port Requirements and Microsoft KB article 179442.

| Product | Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|---|
| ESXi 5.x | 5900 to 5964 | TCP | ESXi 5.x | ESXi 5.x | RFB protocol, used by management tools such as VNC |
| ESXi Dump Collector | 6500 | UDP | ESXi | vCenter Server | Network coredump server |
| ESXi Dump Collector | 8000 | TCP | ESXi | vCenter Server | Network coredump web port |
| ESXi Syslog Collector | 8001 | TCP | ESXi | vCenter Server | Network syslog server |
| Guided Consolidation | 135 | TCP/UDP | Consolidation Target (Physical Server) | vCenter Converter Server | Microsoft DCE Locator Service, also known as the Endpoint Mapper |
| Guided Consolidation | 137 | TCP/UDP | Consolidation Target (Physical Server) | vCenter Converter Server | NetBIOS name service. Firewall administrators frequently see large numbers of incoming packets to port 137 because Windows servers use NetBIOS (as well as DNS) to resolve IP addresses to names via gethostbyaddr(); when users behind the firewall visit Windows-based web sites, those servers often respond with NetBIOS lookups. |
| Guided Consolidation | 138 | TCP/UDP | Consolidation Target (Physical Server) | vCenter Converter Server | NetBIOS datagram service, used by Windows as well as UNIX services such as Samba. Port 138 is used primarily by the SMB browser service that obtains Network Neighborhood information. |
| Guided Consolidation | 139 | TCP/UDP | Consolidation Target (Physical Server) | vCenter Converter Server | NetBIOS session service (Windows file and printer sharing) |
| Guided Consolidation | 445 | TCP/UDP | Consolidation Target (Physical Server) | vCenter Converter Server | SMB direct hosting port. Since Windows 2000 and Windows XP, the redirector and server components support direct hosting for communicating with other Windows 2000/XP computers. Direct hosting does not use NetBIOS for name resolution; DNS is used instead, and the Microsoft networking traffic is sent directly over TCP without a NetBIOS header. Direct hosting over TCP/IP uses TCP and UDP port 445 instead of the NetBIOS session port TCP 139. |
| Heartbeat | 52267 | TCP | vCenter Server Heartbeat Console | vCenter Server Heartbeat Server | Client connection port |
| Heartbeat | 57348 | TCP | vCenter Server Primary Server | vCenter Server Secondary Server | Default channel port for communication between the Primary and Secondary server |

Used to obtain virtual infrastructure and virtual machine information from orchestrated vCenter Server(s) through the vCenter API

| Product | Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|---|
| Orchestrator | 636 | TCP | VCO Server | LDAP Server | VCO uses LDAP authentication and group membership to determine role authorization in LCM and access to VMs/requests. This is LDAPS, the SSL-secured counterpart of LDAP on port 389, used for secured LDAP authentication. |
| Orchestrator | 1433 | TCP | VCO Server | Microsoft SQL Server | vCenter Orchestrator Server to Microsoft SQL Server for the VCO database |
| Orchestrator | 1521 | TCP | VCO Server | Oracle Database Server | vCenter Orchestrator Server to Oracle for the VCO database |
| Orchestrator | 3306 | TCP | VCO Server | MySQL Server | vCenter Orchestrator Server to MySQL Server for the VCO database |
| Orchestrator | 5432 | TCP | VCO Server | PostgreSQL Server | vCenter Orchestrator Server to PostgreSQL Server for the VCO database |
| Orchestrator | 8230 | TCP | VCO Client | VCO Server | Lookup port: the main port used to communicate with the Orchestrator Configurator server (JNDI port). All other ports communicate with the Orchestrator Configurator smart client through this one. Part of the JBoss Application Server infrastructure. |
| Orchestrator | 8240 | TCP | VCO Client | VCO Server | Command port: the application communication port (RMI container port), used for remote invocations. Part of the JBoss Application Server infrastructure. Because it accepts remote invocations, restrict it to the network the Orchestrator clients live on. |
| Orchestrator | 8244 | TCP | VCO Client | VCO Server | Data port used to access all Orchestrator data models, such as workflows and policies. Part of the JBoss Application Server infrastructure. |
| Orchestrator | 8250 | TCP | VCO Client | VCO Server | Messaging port: the Java messaging port used to dispatch events. Part of the JBoss Application Server infrastructure. |
| Orchestrator | 8280 | TCP | VCO Server | VCO Server | Port used by the VCO Server to connect to the web front end via HTTP |
| Orchestrator | 8281 | TCP | VCO Server | VCO Server | Port used by the VCO Server to connect to the web front end via HTTPS |
| Orchestrator | 8281 | TCP | vCenter Server | VCO Server | Port used by the VCO Server to connect to vCenter Server to communicate with the vCenter API |
| Orchestrator | 8282 | TCP | VCO Client PC | VCO Server | HTTP server port: used by the HTTP connector to connect to the web front end |
| Orchestrator | 8283 | TCP | VCO Client PC | VCO Server | HTTPS server port: used by the HTTP connector to connect to the web front end. Requires Jetty to be configured for SSL. |

This is the recommended port range from which to choose ports for Update Manager if ports 80 and 443 are already in use. Update Manager automatically opens these ports for ESX host scanning and remediation.


| Product | Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|---|
| vCenter 2.5.x | 27000 | TCP | VMware License Server | vCenter Server | Licensing via FlexLM. Only required by vCenter 4 if ESXi/ESX 3.x hosts will be supported |
| vCenter 2.5.x | 27010 | TCP | vCenter Server | VMware License Server | Licensing via FlexLM. Only required by vCenter 4 if ESXi/ESX 3.x hosts will be supported |
| vCenter 2.5.x | 27010 | TCP | VMware License Server | vCenter Server | Licensing via FlexLM. Only required by vCenter 4 if ESXi/ESX 3.x hosts will be supported |
| vCenter 4.1 | 60099 | TCP | vCenter Server | vCenter Server Services | Internal communication between vCenter Server and its solutions; specifically, it is used to exchange messages about inventory. If it is not open, a solution that integrates with vCenter Server through this service may be affected. |
| vCenter 4.x | 25 | TCP | vCenter Server | SMTP Server | Email notifications |
| vCenter 4.x | 53 | UDP | vCenter Server | DNS Server | DNS lookups |
| vCenter 4.x | 80 | TCP | Client PC | vCenter Server | Redirect web browser to the HTTPS service (443) |
| vCenter 4.x | 80 | TCP | vCenter Server | ESXi/ESX 4.x | DPM with IPMI (iLO/BMC): ASF Remote Management and Control Protocol |
| vCenter 4.x | 80 | TCP | VI / vSphere Client | vCenter Server | Redirect to the HTTPS service (443) |
| vCenter 4.x | 88 | UDP | vCenter Server | Active Directory Server | AD authentication |
| vCenter 4.x | 88 | TCP | vCenter Server | Active Directory Server | AD authentication |
| vCenter 4.x | 135 | TCP | vCenter Server | vCenter Server | Linked Mode |
| vCenter 4.x | 161 | UDP | SNMP Server | vCenter Server | SNMP polling |
| vCenter 4.x | 162 | UDP | vCenter Server | SNMP Server | SNMP trap send |
| vCenter 4.x | 389 | TCP/UDP | vCenter Server | Linked vCenter Servers | Bi-directional LDAP authentication with Kerberos encryption on TCP port 389 is required between all vCenter Servers that need to replicate. |


| Product | Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|---|
| vCenter 4.x | 27000 | TCP | VMware License Server | vCenter Server | Licensing via FlexLM. Only required by vCenter 4 if ESXi/ESX 3.x hosts will be supported |
| vCenter 4.x | 27010 | TCP | vCenter Server | VMware License Server | Licensing via FlexLM. Only required by vCenter 4 if ESXi/ESX 3.x hosts will be supported |
| vCenter 4.x | 27010 | TCP | VMware License Server | vCenter Server | Licensing via FlexLM. Only required by vCenter 4 if ESXi/ESX 3.x hosts will be supported |
| vCenter 4.x | 1024 (dynamic) | RPC | Linked vCenter Servers | Linked vCenter Servers | Bi-directional RPC communication on dynamic TCP ports is required between all vCenter Servers that need to replicate (via ADAM). The ports are chosen from the Windows host's RPC dynamic port range, so firewall rules must allow that whole range between the linked servers rather than a single port. A VI Client still needs a direct connection to every vCenter Server that owns an object it needs to manage. |

This is the LDAP port number for the Directory Services for the vCenter Server group. The vCenter Server system needs to bind to port 389, even if you are not joining this vCenter Server instance to a Linked Mode group. If another service is running on this port, you can run the LDAP service on any port from 1025 through 65535.

| Product | Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|---|
| vCenter 5.x | 443 | TCP | vSphere Client | vCenter Server | Port the vCenter Server system listens on for connections from the vSphere Client |

This is a web service used to add a host to an Active Directory domain.

| Product | Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|---|
| vCenter 5.x | 60099 | TCP | vCenter Server | vCenter Server | Web Service change service notification port |
| vCenter 5.x | 1024 (dynamic) | RPC | Linked vCenter Servers | Linked vCenter Servers | Bi-directional RPC communication on dynamic TCP ports is required between all vCenter Servers that need to replicate (via ADAM). The ports are chosen from the Windows host's RPC dynamic port range, so firewall rules must allow that whole range between the linked servers rather than a single port. A VI Client still needs a direct connection to every vCenter Server that owns an object it needs to manage. |
| vCenter Infrastructure Navigator 1.x | 22 | TCP | Client PC | vCenter Infrastructure Navigator Appliance | Enables SSH access to the vCenter Infrastructure Navigator appliance |
| vCenter Infrastructure Navigator 1.x | 80 | TCP | vCenter Infrastructure Navigator | vSphere Web Service API | HTTP web service |
| vCenter Infrastructure Navigator 1.x | 443 | TCP | vCenter Infrastructure Navigator | vSphere Web Service API | HTTPS web service |
| vCenter Infrastructure Navigator 1.x | 443 | TCP | vCenter Infrastructure Navigator | ESXi/ESX hosts and virtual machines | VIX protocol on target hosts to perform discovery |
| vCenter Infrastructure Navigator 1.x | 902 | TCP | vCenter Infrastructure Navigator | ESXi/ESX hosts and virtual machines | VIX protocol on target hosts to perform discovery |
| vCenter Infrastructure Navigator 1.x | 2868 | TCP | vCenter Server | vCenter Infrastructure Navigator | Plug-in downloads. This download happens as part of the registration process. |

VDM Web Access (not required if only HTTPS is to be supported). The Security Server is used as a proxy in a DMZ to allow external connections in. The View Manager/Connection Broker has an ADAM instance on it.

| Product | Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|---|
| View/VDM 2.x | 80 | TCP | View/VDM Client | View/VDM Connection Server | VDM Access (not required if only HTTPS is to be supported) |
| View/VDM 2.x | 80 | TCP | Client PC | View/VDM Connection Server | VDM Web Access (not required if only HTTPS is to be supported) |
| View/VDM 2.x | 88 | UDP | View/VDM Connection Server/View Manager | Active Directory Server | AD Authentication |
| View/VDM 2.x | 88 | TCP | View/VDM Connection Server/View Manager | Active Directory Server | AD Authentication |
| View/VDM 2.x | 389 | TCP/UDP | View/VDM Connection Server/View Manager | LDAP Server | LDAP Authentication |
| View/VDM 2.x | 443 | TCP | View/VDM Client | View/VDM Security Server | VDM Access |
| View/VDM 2.x | 443 | TCP | Client PC | View/VDM Connection Server/View Manager | VDM Web Access and VDM Administration |
| View/VDM 2.x | 443 | TCP | Thin Client | View/VDM Connection Server/View Manager | VDM API |
| View/VDM 2.x | 443 | TCP | View/VDM Client | View/VDM Connection Server/View Manager | VDM Access |
| View/VDM 2.x | 443 | TCP | Client PC | View/VDM Security Server | VDM Web Access (Web Browser) |
| View/VDM 2.x | 443 | TCP | View/VDM Connection Server/View Manager | vCenter Server | VDM to vCenter communication |
| View/VDM 2.x | 445 | UDP | View/VDM Connection Server/View Manager | Active Directory Server | AD Authentication |
| View/VDM 2.x | 445 | TCP | View/VDM Connection Server/View Manager | Active Directory Server | AD Authentication |
| View/VDM 2.x | 3389 | TCP | View/VDM Security Server | Virtual Desktop VM (View/VDM Agent) | Tunneled RDP connection (RSA RC4 encryption, can be set High/Medium/Low) |
| View/VDM 2.x | 3389 | TCP | Client PC/Thin Client/View/VDM Client | Virtual Desktop VM (View/VDM Agent) | Direct RDP connection (RSA RC4 encryption, can be set High/Medium/Low) |
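The rows above are only useful once they are turned into firewall rules and then verified. The following script is an added example, not VMware's code and not part of this KB article: it reads rows in the Product | Port | Protocol | Source | Target | Purpose layout used here, expands port ranges such as "5900 to 5964", flags the "1024 (dynamic)" RPC rows that cannot be pinned to one port, probes the TCP rows with a connect() from the machine it runs on, and emits scoped inbound Windows Firewall rules (netsh advfirewall) for one target role. The sample rows embedded in SAMPLE_TABLE are a constructed subset of the page, and the addresses in ROLE_ADDRESSES are assumed placeholders; the netsh syntax is the standard `add rule` form and is not something this page documents.

```python
"""Port-requirement audit for a VMware port table (added example, not VMware's code)."""
import socket
from dataclasses import dataclass


@dataclass
class PortRule:
    product: str
    ports: list        # expanded port numbers; empty for a dynamic range
    dynamic: bool
    protocols: list    # "tcp" and/or "udp"
    source: str
    target: str
    purpose: str


# Constructed sample rows in the table's own layout (a subset of the page).
SAMPLE_TABLE = """
| Product | Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|---|
| ESXi 5.x | 5900 to 5964 | TCP | ESXi 5.x | ESXi 5.x | RFB protocol (VNC) |
| vCenter 4.x | 389 | TCP/UDP | vCenter Server | Linked vCenter Servers | LDAP |
| vCenter 4.x | 1024 (dynamic) | RPC | Linked vCenter Servers | Linked vCenter Servers | ADAM replication |
| vCenter 5.x | 443 | TCP | vSphere Client | vCenter Server | vSphere Client connections |
"""


def parse_ports(cell):
    """'443' -> ([443], False); '5900 to 5964' -> (range, False); '1024 (dynamic)' -> ([], True)."""
    text = cell.strip().lower()
    if "dynamic" in text:
        return [], True
    if " to " in text:
        low, high = (int(x) for x in text.split(" to "))
        return list(range(low, high + 1)), False
    return [int(text)], False


def parse_protocols(cell):
    """'TCP/UDP' -> ['tcp', 'udp']; the page's 'RPC' rows are dynamic TCP ports."""
    text = cell.strip().lower()
    return ["tcp"] if text == "rpc" else text.split("/")


def parse_table(text):
    rules = []
    for line in text.splitlines():
        if not line.strip().startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or cells[0] == "Product" or set(cells[0]) <= set("-"):
            continue  # header, separator or malformed row
        ports, dynamic = parse_ports(cells[1])
        rules.append(PortRule(cells[0], ports, dynamic, parse_protocols(cells[2]),
                              cells[3], cells[4], cells[5]))
    return rules


def tcp_open(host, port, timeout=1.0):
    """True when a TCP connect() to host:port completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable or unresolvable
        return False


def audit(rules, addresses, probe=tcp_open):
    """Probe every TCP row whose target role has an address.
    Returns {(product, port, proto, target): 'open' | 'closed' | 'skipped: <reason>'}."""
    results = {}
    for r in rules:
        for proto in r.protocols:
            if r.dynamic:
                results[(r.product, "dynamic", proto, r.target)] = \
                    "skipped: dynamic range, allow the host's RPC port range instead"
                continue
            for port in r.ports:
                key = (r.product, port, proto, r.target)
                host = addresses.get(r.target)
                if host is None:
                    results[key] = "skipped: no address for role " + r.target
                elif proto != "tcp":
                    results[key] = "skipped: UDP has no connect handshake to probe"
                else:
                    results[key] = "open" if probe(host, port) else "closed"
    return results


def netsh_rules(rules, target_role, addresses):
    """Inbound allow rules for one target role, each scoped to its source role's address."""
    lines = []
    for r in rules:
        if r.target != target_role or r.dynamic:
            continue
        remote = addresses.get(r.source, "any")
        ports = f"{r.ports[0]}-{r.ports[-1]}" if len(r.ports) > 1 else str(r.ports[0])
        for proto in r.protocols:
            lines.append(
                f'netsh advfirewall firewall add rule name="{r.product} {proto.upper()} {ports}" '
                f"dir=in action=allow protocol={proto.upper()} localport={ports} remoteip={remote}")
    return lines


def self_check():
    """Probe a throwaway loopback listener, then the same port after it is closed."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = tcp_open("127.0.0.1", port)
    return while_open, tcp_open("127.0.0.1", port)


if __name__ == "__main__":
    ROLE_ADDRESSES = {"vCenter Server": "10.0.10.5",      # assumed placeholder
                      "vSphere Client": "10.0.10.25"}     # assumed placeholder
    parsed = parse_table(SAMPLE_TABLE)
    for key, verdict in audit(parsed, ROLE_ADDRESSES).items():
        print(key, verdict)
    print("\n".join(netsh_rules(parsed, "vCenter Server", ROLE_ADDRESSES)))
```

Run it from the host named in a row's Source column, since that is the path the firewall must allow; a "closed" verdict from anywhere else proves nothing. UDP rows (DNS, SNMP, Kerberos over UDP) are reported as skipped because a bare connect() cannot tell an open UDP port from a filtered one, and the dynamic RPC rows are skipped because the listening port is only known after the endpoint mapper on 135 hands it out.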